Umbraco 5 micro caching can cause information disclosure
Hi,
I recently deployed an Umbraco 5 site that allowed users to register etc. I did not realise at the time that the Umbraco 5 installation ships with a micro-caching strategy enabled. This resulted in the site occasionally disclosing login names and address details of other users to some users, as it was returning cached versions of individualised pages e.g. example.com/myaccount would show the details of someone else's account if two people hit the page within 1 second of each other, as there was no variation in querystring or POSTed content. Needless to say, this was a very embarrassing security hole. Can I suggest that this feature be turned off by default?
Also, perhaps using http://mvcdonutcaching.codeplex.com/ would allow developers to do partial page caching, rather than the all-or-nothing approach that it ships with at present.
Pages now still load in 50ms, like they did with normal OutputCache, but can contain user specific content or content that has a different caching profile than the main Umbraco content.
If you need more information, don't hesitate to reply in this thread.
Hi,
I've given the Donut Caching package a try, and I can report that it's actually working great with Umbraco 5.1 :)
In order for this to work I had to make a custom build of the MvcDonutCaching package, as well as Umbraco 5.1.
file: Umbraco.Cms.Web/Mvc/Controllers/UmbracoController.cs, change line 29 to [DonutOutputCache(CacheProfile = "umbraco-default")]
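The failure described in this thread, as an added example that is not part of the original posts and is not Umbraco or MvcDonutCaching code: a constructed 1-second cache keyed on the URL alone hands one user's rendered page to the next, and two key policies that avoid it. The class, method and user names are hypothetical, and the timestamps are constructed.

```csharp
using System;
using System.Collections.Generic;

// Constructed model of a 1-second output cache; not Umbraco's implementation.
class MicroCache
{
    private readonly Dictionary<string, Tuple<DateTime, string>> _entries =
        new Dictionary<string, Tuple<DateTime, string>>();
    private readonly Func<string, string, string> _keyFor; // (url, user) -> key, null = bypass

    public MicroCache(Func<string, string, string> keyFor) { _keyFor = keyFor; }

    public string Get(string url, string user, DateTime now, Func<string, string> render)
    {
        string key = _keyFor(url, user);
        if (key == null) return render(user);             // policy: do not cache this request
        Tuple<DateTime, string> hit;
        if (_entries.TryGetValue(key, out hit) && now - hit.Item1 < TimeSpan.FromSeconds(1))
            return hit.Item2;                              // served without re-rendering
        string body = render(user);
        _entries[key] = Tuple.Create(now, body);
        return body;
    }
}

static class Demo
{
    static string RenderAccount(string user) { return "Account details for " + (user ?? "(anonymous)"); }

    static void Run(string label, Func<string, string, string> keyFor)
    {
        var cache = new MicroCache(keyFor);
        DateTime t0 = new DateTime(2012, 1, 1, 12, 0, 0);  // constructed timestamps
        cache.Get("/myaccount", "alice", t0, RenderAccount);
        string bobSees = cache.Get("/myaccount", "bob", t0.AddMilliseconds(400), RenderAccount);
        Console.WriteLine("{0,-24} bob sees: {1}", label, bobSees);
    }

    static void Main()
    {
        // Behaviour described in the post: the key is the URL only.
        Run("url-only key:", (url, user) => url);
        // Policy 1: make the logged-in identity part of the key.
        Run("url + user key:", (url, user) => url + "|" + (user ?? ""));
        // Policy 2: never cache responses for authenticated requests.
        Run("bypass when logged in:", (url, user) => user == null ? url : null);
    }
}
```

Only the first policy returns the first user's page to the second user; in the other two the second request is rendered for the user who made it.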